Diving Into Buhtrap Banking Trojan Activity

Cyphort recently published an article about the Buhtrap banking trojan [https://www.cyphort.com/banking-malware-buhtrap-caught-action/], targeting users of Russian and Ukrainian banks as reported in March of 2016 by Group-IB [http://www.group-ib.com/brochures/gib-buhtrap-report.pdf]. Cyphort’s insightful article analyzes the compromise chain from the website eurolab[.]ua, directing users via an apparently injected HTML script src attribute to rozhlas[.]site which served exploit code for CVE-2016-0189 (Internet Explorer 11 VBScript Engine Memory Corruption).

Detonation of the exploit code leads to the download of the first stage malware, which is responsible for profiling the system, then downloading the actual Buhtrap malware or a non-malicious binary depending upon the execution environment. Systems that show indications of being involved in certain banking operations will receive the malware (sometimes in the form of an NSIS installer package), and other systems will receive the non-malicious binary. In some cases, sandboxes won’t execute the malware properly.

The first stage malware discussed has the SHA-256 hash value of cd703f7bd0e449fbc9ccdaaae85beef2f874988236a50cd40d3f93b817d5b670. The website rozhlas[.]site (now offline) was a generic staging ground, used to host the Buhtrap malware and the non-malicious binary as well as the exploit code.

Figure 1: One Example of a General Workflow for Buhtrap Malware Installation

Selectively downloading second-stage malware depending upon target profiling is a tactic that has also been deployed by other generic malware staging/loading systems, such as Andromeda, that in some cases specifically hunt for Point of Sale operations. Analysts and incident responders need to be able to follow threat and exploitation activity to reach second stage payloads in order to gain full insight. The popularity of automated analysis environments via sandboxing unfortunately means that threat actors are continuing to invest in malware execution tactics that will decrease visibility when the payload is detonated in such an analysis environment.

While the Cyphort blog does a nice job analyzing the first stage, there is additional context and other indicators surrounding this first stage of threat activity that may be of interest to network defenders and threat intelligence analysts.

Regarding the profiled sample discussed by Cyphort – the C2 domain rozhlas[.]site appears to have only been used to serve malicious content, based on a variety of search engine inquiries that showed nothing other than threat actor activity. In addition to the aforementioned site eurolab[.]ua that pointed towards rozhlas[.]site on August 19, 2016, other sites in Russia and Ukraine were redirecting users there as well, via script src redirections. While we do not have the actual page contents in question, a list of other sites using the script src tactic during the same timeframe is as follows:

Site

Date

infored.ru

2016-08-18

waralbum.ru

2016-08-19

mobile.womenhealthnet.ru

2016-08-26

travelermap.ru

2016-09-19

Since rozhlas[.]site is clearly used by threat actors associated with Buhtrap, it is interesting to look at additional malware samples that initiate network connectivity to rozhlas[.]site.

Sample #1: Knock

a0c428ae70bfc7fff66845698fb8ce045bffb3114dde4ea2eac19561a619c6c8

This sample makes an outbound connection to http://rozhlas[.]site/knock.html, which corresponds in name to the PDB string found inside the binary C:\Users\dev\Documents\Visual Studio 2015\Projects\knock\Release\knock.pdb. This sample also contains an interesting HTTP User-Agent value used in the outbound connectivity to the knock URL. The HTTP header observed during analysis is as follows:

This User-Agent has never been observed in the wild (based upon the ASERT HTTP corpus that contains nearly 120 million HTTP client headers collected from a global vantage point) and therefore may be worthy of additional research as a reasonable part of network and/or YARA-based detection mechanism. While only one sample of this malware has been discovered so far, it may appear again. Therefore, a YARA rule to detect this sample is as follows

This sample, which appears to be a downloader according to anti-malware detection schemes (which can of course be generic and inaccurate), was discovered in the wild using the filename cache.bin.

Based on the presence of “Knock” in the code and in the network communications, it is possible that the purpose of this sample is merely to notify the coordinating threat actor (aka “botmaster”) that another machine has been compromised. It is also possible that a connection to the C2 with this unique HTTP client request triggers some other type of process, although without access to the server side code or a live C2 this is difficult to determine.

The sample was created during the execution of two other malware samples, 6e43b7aff8a151eef979493b98eec3ce447489e9ec4deab656a40ef3ed0ca6ab, and 97f80175fb58cc514bdcb79d11fe1bcec1b74422171d9493d179a90dcacd7d93 which will be profiled as sample #2 and sample #3 in this set.

Sample #2: Buhtrap Profiler, drops Knock

6e43b7aff8a151eef979493b98eec3ce447489e9ec4deab656a40ef3ed0ca6ab

This file was found at URL http://rozhlas[.]site/news/business/cache.bin on 9-7-2016.

This sample was observed to connect to http://rozhlas[.]site/news/business/release.bin with the User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0).

Analysis of a memory dump reveals a listing of 120 distinct EXE files including filename and extension. All of the extensions were .EXE, except for one instance of .ex and one instance of a .dll extension. In total, 122 files were in the list. All of these filenames match the list of banking software that Buhtrap is looking for (as provided by Cyphort at https://www.cyphort.com/wp-content/uploads/2016/09/Files.png) with the exception of the name wclnt.exe. Wclnt.exe appears to be associated with Sberbank of Russia. Sberbank is described on Wikipedia as such:

Sberbank of Russia is a Russian banking and financial services company headquartered in Moscow. Sberbank has operations in several European and post-Soviet countries.

In practice this YARA rule works best when applied against memory dumps of the first stage Buhtrap malware component, but may work on primary malware samples as well, depending upon their structure. A filesize parameter could be added into the condition section, however this value should be larger than the largest memdump in question.

Sample #4

04e473e49695503226bcc16e74765a700c53a0ed185228ac40ba371ace71e8e8

The fourth Buhtrap related sample we examine contains a URL pointing towards a known benign payload at rozhlas[.]site/news/business/release.bin.

This sample, like others, uses the filename LogParser.exe in an attempt to masquerade as the Microsoft Log Parser utility, and uses the following icon:

File properties of the malware are also intended to mimic the presence of Log Parser 2.2:

The legitimate LogParser.exe has similar properties:

This sample is signed Bit-Trejd, a point that will be discussed further in a pending writeup. The real LogParser.exe binary is signed by Microsoft, not Bit-Trejd. This suspicious signature should be a dead giveaway of a problem.

Analysis of other malware signed by this certificate will be covered in part two.

Subscribe to this blog

First Name*

Last Name*

Company*

Email*

Phone

This field is for validation purposes and should be left unchanged.

Asert

Arbor’s Security Engineering & Response Team (ASERT) delivers world-class network security research and analysis for the benefit of today’s enterprise and network operators. ASERT engineers and researchers are part of an elite group of institutions that are referred to as ‘super remediators’ and represent the best in information security. ASERT has both visibility and remediation capabilities at nearly every tier one operator and a majority of service provider networks globally.

ASERT shares operationally viable intelligence with hundreds of international Computer Emergency Response Teams (CERTs) and with thousands of network operators via in-band security content feeds. ASERT also operates the world’s largest distributed honeynet, actively monitoring Internet threats around the clock and around the globe.

Arbor Networks has collaborated with Jigsaw (formerly Google Ideas) to create a data visualization that shows how Distributed Denial of Service (DDoS) attacks have become a global problem. The data is updated daily from Arbor’s global network of sensors and can be viewed at www.digitalattackmap.com